[TYPO3-dev] Security Warning
Ingo Renner
typo3 at ingo-renner.com
Wed Feb 8 03:23:01 CET 2006
On Tue, 7 Feb 2006 23:59:05 +0100, Steffen Kamper wrote:
> Hi,
>
> I discovered the possibility to get the DB-Params even if you are not admin
> and have the possibility to access php-scripts, e.g. with php_page_content.
>
> Then a simple script like
>
> <?php echo "User / Passwort: ".TYPO3_db_username." / ".TYPO3_db_password; ?>

Who would have guessed that? Just do not allow anyone to install these kinds
of extensions and enforce that rule. EXT:page_php_content is evil.
Ingo
--
Use a newsreader! Check out
http://typo3.org/community/mailing-lists/use-a-news-reader/